Because many existing antivirus technologies detect malicious programs (“malware”) by identifying unique digital signatures or fingerprints associated with known-malicious programs, malware authors have attempted to proliferate malware by generating thousands or potentially millions of unique variations of the same malicious program. Malware authors often create such a variation by packing (e.g., compressing, encrypting, and/or otherwise obfuscating) the malicious program within a new program (referred to as a “packed program”). When the packed program is executed, additional code within the packed program unpacks (e.g., decompresses and/or decrypts) the obfuscated malicious program and then executes it. Because the packed program carries a different signature than the original malicious program, this packing process may enable the malicious program to evade detection by existing signature-based antivirus technologies.
Various techniques for unpacking obfuscated programs from packed programs have been developed to facilitate malware detection and analysis. Unfortunately, existing unpacking techniques are generally unable to distinguish the code of the obfuscated program contained within a packed program from the code the packed program uses to unpack that obfuscated program. Accordingly, the instant disclosure identifies a need for additional and improved systems and methods for distinguishing the code of a program obfuscated within a packed program.
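One way to separate the two kinds of code that the passage above says existing techniques conflate is a write-then-execute trace: code executed straight from the mapped file is the unpacker, while code written at runtime and then executed is the unpacked original program. The following Python is an added illustration, not part of this disclosure and not a description of its method; the emulated packed program, its addresses, the XOR "encryption" key and all byte values are constructed.

```python
"""Toy write-then-execute classifier over an emulated packed program (constructed)."""

IMAGE_BASE = 0x1000                 # constructed: where the packed file is mapped
STUB_LEN = 16                       # constructed: size of the unpacker stub
BUF = 0x2000                        # constructed: buffer the stub unpacks into
KEY = 0x5A                          # constructed single-byte XOR "encryption"
ORIGINAL = b"\x55\x48\x89\xe5\xc3"  # constructed stand-in for original program bytes


def packed_image() -> bytes:
    """Unpacker stub bytes followed by the XOR-obfuscated original program."""
    stub = bytes([0x90] * STUB_LEN)  # constructed filler standing in for stub code
    return stub + bytes(b ^ KEY for b in ORIGINAL)


def run_packed(image: bytes):
    """Emulate the packed program as ('exec'|'write', address, value) events."""
    # 1. The unpacker stub executes directly from the mapped image.
    for off in range(STUB_LEN):
        yield ("exec", IMAGE_BASE + off, None)
    # 2. It unpacks (here: XOR-decodes) the payload into a fresh buffer.
    for i, b in enumerate(image[STUB_LEN:]):
        yield ("write", BUF + i, b ^ KEY)
    # 3. It transfers control into that buffer, running the original program.
    for i in range(len(image) - STUB_LEN):
        yield ("exec", BUF + i, None)


def classify(events):
    """Split executed addresses into unpacker code and unpacked original code.

    Returns (unpacker_addrs, unpacked_addrs, unpacked_bytes): an executed
    address that was never written at runtime belongs to the unpacker; one
    that was written before being executed belongs to the unpacked program,
    whose bytes are recovered from the recorded writes.
    """
    mem, unpacker, unpacked = {}, set(), set()
    for kind, addr, val in events:
        if kind == "write":
            mem[addr] = val
        elif addr in mem:
            unpacked.add(addr)   # written at runtime, then executed
        else:
            unpacker.add(addr)   # executed straight from the mapped image
    dumped = bytes(mem[a] for a in sorted(unpacked))
    return unpacker, unpacked, dumped


if __name__ == "__main__":
    u, p, d = classify(run_packed(packed_image()))
    print(f"unpacker {min(u):#x}-{max(u):#x}, unpacked {min(p):#x}-{max(p):#x}: {d.hex()}")
```

The recovered bytes equal the constructed ORIGINAL, showing the trace both separates the stub from the payload and yields the de-obfuscated code without needing to know the packer's algorithm.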